Before delving into this topic you should already be comfortable with chmod and chown, because they are the foundation for everything below. If you are not, read up on those two commands first. Here is a quick introduction to the three special permission bits this page covers.
- setuid: a bit that makes an executable run with the privileges of the owner of the file
- setgid: a bit that makes an executable run with the privileges of the group of the file
- sticky bit: a bit set on directories so that only a file's owner, the directory's owner, or root can delete or rename the files and sub-directories inside it
With that summary in mind, let's look more closely at what each bit does and where it is used.
When are these bits used?
Suppose a normal user needs to run a program that must modify a file only root can write. As root you do not want to hand out your credentials (or sudo rights) just so that user can run it. setuid and setgid solve exactly this problem: the program runs with the privileges of the file's owner (or group) while the person running it stays an ordinary user. Before looking at how that works in practice, remember what chmod already gives us without setuid or setgid: the ability to allow or deny read, write and execute to the owner, the group and everyone else. The next section shows that ordinary case first.
How Commands Work Without setuid or setgid?
Let’s walk through a simple example using the ls command. We have two subdirectories in our /topsecretfolder: secret1 and secret2. Both subdirectories are owned by root. The secret1 sub-directory allows read and execute permissions to everyone else. The secret2 subdirectory grants no privileges to everyone else.
cristinorolando@LAPTOP-CR7:/topsecretfolder$ ls -l
total 8
drwxrwxr-x 2 root root 4096 Oct 18 19:34 secret1
drwxrwx--- 2 root root 4096 Oct 18 19:31 secret2
cristinorolando@LAPTOP-CR7:/topsecretfolder$
When we try to list files in /topsecretfolder/secret1, the system grants ls access based on the privileges tied to our “cristinorolando” uid/gid.
cristinorolando@LAPTOP-CR7:/topsecretfolder$ ls secret1
pepperNeggRecipe.txt
cristinorolando@LAPTOP-CR7:/topsecretfolder$
However, when we try the same thing on topsecretfolder/secret2, we get a permission denied message. That’s because when running with our “cristinorolando” account’s privileges, the system denies ls access to the secret2 subdirectory.
cristinorolando@LAPTOP-CR7:/topsecretfolder$ ls secret2
ls: cannot open directory ‘secret2’: Permission denied
cristinorolando@LAPTOP-CR7:/topsecretfolder$
If we switch to the root (or use sudo) account, ls works fine on the secret2 subdirectory. This makes sense because now ls has the privileges associated with the root user.
cristinorolando@LAPTOP-CR7:/topsecretfolder# ls secret2
GiardinieraRecipe.txt
cristinorolando@LAPTOP-CR7:/topsecretfolder#
How setuid/setgid works?
Earlier I mentioned the case where a normal user has to run a program that needs root's access. The textbook example is the passwd command, which lets users change their own password. Changing your password means changing the /etc/shadow file, and only the root user has write access to it:
cristinorolando@LAPTOP-CR7:~$ ls -l /etc/shadow
-rw-r----- 1 root shadow 1824 Oct 18 19:49 /etc/shadow
cristinorolando@LAPTOP-CR7:~$
Under normal circumstances, that suggests we’d need to be root or have sudo privileges to change our password. However, normal users can execute the passwd command to change their own password without sudo or root permissions.
cristinorolando@LAPTOP-CR7:~$ passwd
Changing password for cristinorolando.
Current password:
New password:
Retype new password:
passwd: password updated successfully
cristinorolando@LAPTOP-CR7:~$
To understand why passwd seemingly grants root-level access but ls doesn’t, let’s take a look at the permissions on those two executables.
cristinorolando@LAPTOP-CR7:~$ ls -l /bin/ls
-rwxr-xr-x 1 root root 142144 Sep 5 2019 /bin/ls
cristinorolando@LAPTOP-CR7:~$ ls -l /bin/passwd
-rwsr-xr-x 1 root root 68208 May 28 01:37 /bin/passwd
cristinorolando@LAPTOP-CR7:~$
Both executables are owned by the root user and group, and there is only one difference in the permissions: passwd has an "s" where you'd expect an "x" in the owner's execute position. That "s" tells us the setuid bit is set.
Because the setuid bit is set, the kernel starts passwd with its effective user ID set to the file's owner, root, so the edit to /etc/shadow succeeds even though the real user is still cristinorolando. This is also why setuid-root binaries matter so much for security: any bug in one of them (a buffer overflow, an unsafe use of an environment variable, a missing check on which file it is about to edit) becomes a local root escalation, so the set of setuid-root programs on a system should be small and audited.
The setgid bit is also shown as an "s", but in the group's execute position. Here it is on the wall executable in Ubuntu:
cristinorolando@LAPTOP-CR7:~$ ls -l /usr/bin/wall
-rwxr-sr-x 1 root tty 35048 Apr 2 2020 /usr/bin/wall
cristinorolando@LAPTOP-CR7:~$
Given those permissions, when we run wall it runs with the privileges of the tty group (its effective group ID becomes tty), which is what lets it write to other users' terminals.
What About the Sticky Bit?
In early Unix systems, the sticky bit was used to retain part of a program in swap space after a process exited. This had the effect of making programs load faster. However, that’s not what the sticky bit does on modern Linux systems.
Today, the sticky bit restricts who can delete or rename files in a directory. When it is set, only the owner of a file, the owner of the directory, or the root user can delete (or rename) that file, even if the directory itself is writable by everyone. For that reason the sticky bit on a directory is also called the "restricted deletion flag" or "restricted deletion bit".
The /tmp directory is one of the most common use cases for the sticky bit. Files are frequently created in /tmp for different user accounts during normal operation of many multi-user systems. If users were able to delete one another’s /tmp files, it could wreak havoc on how different applications work.
First, we'll start with a world-writable /recipes directory owned by the "cristinorolando" user and group.
cristinorolando@LAPTOP-CR7:~$ ls -ld /recipes/
drwxrwxrwx 2 cristinorolando cristinorolando 4096 Oct 24 18:06 /recipes/
cristinorolando@LAPTOP-CR7:~$
Next, we’ll set the sticky bit with chmod +t /recipes/.
cristinorolando@LAPTOP-CR7:/$ chmod +t /recipes/
cristinorolando@LAPTOP-CR7:/$ ls -ld recipes/
drwxrwxrwt 2 cristinorolando cristinorolando 4096 Oct 24 19:00 recipes/
cristinorolando@LAPTOP-CR7:/$
We can see that the command added a "t" at the end of the directory permissions. That "t" tells us the sticky bit is set. To test it, let's confirm that a second account, "seconduser", can create files in the directory but cannot delete files owned by "cristinorolando".
First, as our “seconduser” we’ll cd to /recipes/ and then we’ll use touch to create a file.
seconduser@LAPTOP-CR7:/recipes$ touch giardiniera.txt
seconduser@LAPTOP-CR7:/recipes$ ls -l
total 4
-rw-r--r-- 1 seconduser seconduser 0 Oct 24 19:18 giardiniera.txt
-rw-r--r-- 1 cristinorolando cristinorolando 83 Oct 24 19:08 pepperNegg.txt
seconduser@LAPTOP-CR7:/recipes$
That worked, so now let’s see if we can delete the file “cristinorolando” owns.
seconduser@LAPTOP-CR7:/recipes$ rm pepperNegg.txt
rm: remove write-protected regular file 'pepperNegg.txt'? y
rm: cannot remove 'pepperNegg.txt': Operation not permitted
seconduser@LAPTOP-CR7:/recipes$
We can't, so the sticky bit did its job. Normally write permission on a directory is all you need to delete the files in it, whatever the files' own permissions say (rm only asked about the "write-protected" file out of politeness). With the sticky bit set, write permission on the directory is no longer enough.
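As an added example (my code, not from the original article), here is a small POSIX shell decoder for the mode column that ls prints. It covers the "s" in the owner and group execute positions shown for passwd and wall above as well as the "t" just shown for /recipes/, converts the string to the octal form chmod accepts, and flags the capital "S"/"T" that ls prints when a special bit is set without the matching execute bit. The sample listing inside it is constructed from the ls output quoted on this page.

```shell
#!/bin/sh
# Decode the mode column of `ls -l` (for example "-rwsr-xr-x").
# Added example for this article, not code from the original page.

# Constructed sample, taken from the listings quoted in the article.
SAMPLE_LISTING='total 8
-rwxr-xr-x 1 root root 142144 Sep 5 2019 /bin/ls
-rwsr-xr-x 1 root root 68208 May 28 01:37 /bin/passwd
-rwxr-sr-x 1 root tty 35048 Apr 2 2020 /usr/bin/wall'

# Print the special bits encoded in an ls-style mode string, comma separated.
# Position 4 is the owner's execute slot, 7 the group's, 10 the "other" slot.
# Lower-case s/t: the special bit AND the execute bit in that slot are set.
# Upper-case S/T: the special bit is set but execute is not. A setuid file
# that nobody can execute escalates nothing; it is usually a botched chmod.
special_bits() {
    mode=$1
    out=""
    case "$(printf '%s' "$mode" | cut -c4)" in
        s) out="${out}setuid," ;;
        S) out="${out}setuid(no-exec)," ;;
    esac
    case "$(printf '%s' "$mode" | cut -c7)" in
        s) out="${out}setgid," ;;
        S) out="${out}setgid(no-exec)," ;;
    esac
    case "$(printf '%s' "$mode" | cut -c10)" in
        t) out="${out}sticky," ;;
        T) out="${out}sticky(no-exec)," ;;
    esac
    [ -n "$out" ] || out="none,"
    printf '%s\n' "${out%,}"
}

# Convert an ls-style mode string to the four-digit octal value chmod accepts,
# e.g. "-rwsr-xr-x" -> 4755, "drwxrwxrwt" -> 1777.
mode_to_octal() {
    mode=$1
    special=0
    perms=""
    pos=2
    for who in u g o; do
        r=$(printf '%s' "$mode" | cut -c"$pos")
        w=$(printf '%s' "$mode" | cut -c"$((pos + 1))")
        x=$(printf '%s' "$mode" | cut -c"$((pos + 2))")
        n=0
        if [ "$r" = r ]; then n=$((n + 4)); fi
        if [ "$w" = w ]; then n=$((n + 2)); fi
        case "$x" in
            x|s|t) n=$((n + 1)) ;;   # lower-case s/t imply execute
        esac
        case "$who$x" in
            us|uS) special=$((special + 4)) ;;   # setuid
            gs|gS) special=$((special + 2)) ;;   # setgid
            ot|oT) special=$((special + 1)) ;;   # sticky
        esac
        perms="$perms$n"
        pos=$((pos + 3))
    done
    printf '%d%s\n' "$special" "$perms"
}

# Decode an `ls -l` listing read from stdin: prints "<octal> <bits> <name>"
# for every line whose first field looks like a mode string ("total 8" and
# similar lines are skipped; a trailing "." or "+" from SELinux/ACLs is fine).
decode_listing() {
    while IFS= read -r line; do
        mode=${line%% *}
        case "$mode" in
            [-dlcbps]?????????*) ;;
            *) continue ;;
        esac
        name=${line##* }
        printf '%s %s %s\n' "$(mode_to_octal "$mode")" "$(special_bits "$mode")" "$name"
    done
}
```

Pipe any ls -l output into decode_listing, for instance ls -l /usr/bin | decode_listing | grep -v ' none '. A capital S on a setuid-root file is worth a second look, since it usually means a chmod went wrong rather than a deliberate configuration.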
Setting the setuid bit
We can use chmod to set the setuid bit. Like with other permissions, it can be done symbolically or using octal values (numbers 0-7).
To set the setuid bit symbolically, we use chmod u+s </path/to/the/file>. The examples below use shell scripts only to show what ls prints; the Linux kernel ignores setuid and setgid on interpreted scripts (anything started through a #! line), so the bits only have a real effect on compiled executables.
cristinorolando@LAPTOP-CR7:~$ chmod u+s pepperNeggMaker.sh
cristinorolando@LAPTOP-CR7:~$ ls -l
total 0
-rwsr-xr-x 1 cristinorolando cristinorolando 0 Oct 24 19:37 pepperNeggMaker.sh
cristinorolando@LAPTOP-CR7:~$
To set the setuid bit using octal representation we add "4" in front of our standard octal permissions. For example, chmod 4755 </path/to/the/file> gives the owner read, write and execute permissions, gives the group and everyone else read and execute, and sets the setuid bit.
cristinorolando@LAPTOP-CR7:~$ chmod 4755 giardinieraMixer.sh
cristinorolando@LAPTOP-CR7:~$ ls -l
total 0
-rwsr-xr-x 1 cristinorolando cristinorolando 0 Oct 24 19:47 giardinieraMixer.sh
cristinorolando@LAPTOP-CR7:~$
Setting the setgid bit
The setgid bit can be set in a similar fashion to the setuid bit. We simply swap the “u” to a “g” in symbolic format:
cristinorolando@LAPTOP-CR7:~$ chmod g+s pepperNeggMaker.sh
cristinorolando@LAPTOP-CR7:~$ ls -l
total 0
-rwxr-sr-x 1 cristinorolando cristinorolando 0 Oct 24 20:04 pepperNeggMaker.sh
cristinorolando@LAPTOP-CR7:~$
And the “4” to a “2” in octal format:
cristinorolando@LAPTOP-CR7:~$ chmod 2755 pepperNeggMaker.sh
cristinorolando@LAPTOP-CR7:~$ ls -l
total 0
-rwxr-sr-x 1 cristinorolando cristinorolando 0 Oct 24 20:04 pepperNeggMaker.sh
cristinorolando@LAPTOP-CR7:~$
Setting the sticky bit
We can set the sticky bit on directories symbolically with chmod +t :
cristinorolando@LAPTOP-CR7:/tmp$ chmod +t BreakFastSpecials/
cristinorolando@LAPTOP-CR7:/tmp$ ls -ld BreakFastSpecials/
drwxrwxrwt 2 cristinorolando cristinorolando 4096 Oct 24 20:11 BreakFastSpecials/
cristinorolando@LAPTOP-CR7:/tmp$
Or using octal values and putting "1" in front of our standard permissions. For a shared drop directory like this one (or /tmp) the standard permissions are 777, because the sticky bit only adds something on a directory that other users can write to:
cristinorolando@LAPTOP-CR7:/tmp$ chmod 1777 BreakFastSpecials/
cristinorolando@LAPTOP-CR7:/tmp$ ls -ld BreakFastSpecials/
drwxrwxrwt 2 cristinorolando cristinorolando 4096 Oct 24 20:11 BreakFastSpecials/
cristinorolando@LAPTOP-CR7:/tmp$
Listing all files with the setuid or setgid bit set
If you want to find every file on the system, starting from the root directory, with the setuid or setgid bit set, find from GNU Findutils (available on most *nix systems) is one of the easiest ways. -perm /6000 matches files with either bit (4000 is setuid, 2000 is setgid); use -perm -4000 to match setuid only. This is also one of the first commands an attacker runs after getting a shell, so it is worth knowing what the normal set looks like on your own systems:
$ sudo find / -perm /6000 -type f
Listing all directories with the sticky bit set
Like with our command to find all files with the setuid or setgid bit set, find from GNU Findutils can help here. Adding -type d keeps the output to directories, since the bit can also be set on files, where it does nothing on Linux:
$ sudo find / -type d -perm /1000
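The three "Setting ..." sections and the two find commands above are tied together in the following added example (my code, not from the original article). It builds a scratch directory as an ordinary user, sets each bit with both the symbolic and the octal form, then enumerates the results with find and compares them against an allowlist file, which is how a baseline check for unexpected setuid binaries is usually scripted. The tree layout, file names and the allowlist are assumptions made for the demo; the -perm syntax is GNU find's.

```shell
#!/bin/sh
# Set the special bits on a scratch tree with chmod, then enumerate them with
# find the way an auditor (or an attacker hunting for privilege escalation)
# would. Added example for this article; not code from the original page.
# It runs as an ordinary user: setting setuid on a file you own is allowed,
# and harmless, because the file would simply run as you.
# The find syntax (-perm /MODE, -perm -MODE) is GNU findutils'; BSD find
# spells "any of these bits" as +MODE.

# Build a scratch tree under $1 with one of each special bit (assumed layout).
make_scratch() {
    base=$1
    mkdir -p "$base/bin" "$base/drop"
    : > "$base/bin/setuid-tool"
    : > "$base/bin/setgid-tool"
    : > "$base/bin/plain-tool"
    chmod 4755 "$base/bin/setuid-tool"   # octal form: leading 4 = setuid
    chmod 755 "$base/bin/setgid-tool"
    chmod g+s "$base/bin/setgid-tool"    # symbolic form: setgid
    chmod 755 "$base/bin/plain-tool"     # control file: no special bits
    chmod 1777 "$base/drop"              # world-writable, restricted deletion
}

# Files under $1 with setuid OR setgid (-perm /6000: any of the listed bits).
find_suid_sgid() {
    find "$1" -type f -perm /6000 2>/dev/null | sort
}

# Files under $1 with setuid only (-perm -4000: all of the listed bits).
find_suid_only() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Directories under $1 with the sticky bit. -type d matters because the bit
# can be set on plain files too, where it means nothing on Linux.
find_sticky_dirs() {
    find "$1" -type d -perm /1000 2>/dev/null | sort
}

# Baseline comparison: print the setuid/setgid files under $1 that are not
# listed (one absolute path per line) in the allowlist file $2. Run on a
# schedule, a non-empty result is either a package update or something that
# should not be there.
audit_unexpected() {
    find_suid_sgid "$1" | while IFS= read -r path; do
        grep -qxF -- "$path" "$2" || printf '%s\n' "$path"
    done
}

# Walk-through when started as `sh this.sh run`.
if [ "${1:-}" = run ]; then
    scratch=$(mktemp -d)
    make_scratch "$scratch"
    echo "setuid or setgid:";   find_suid_sgid "$scratch"
    echo "setuid only:";        find_suid_only "$scratch"
    echo "sticky directories:"; find_sticky_dirs "$scratch"
    printf '%s\n' "$scratch/bin/setuid-tool" > "$scratch/allow.txt"
    echo "unexpected:";         audit_unexpected "$scratch" "$scratch/allow.txt"
    rm -rf "$scratch"
fi
```

On a real host the interesting call is audit_unexpected / against an allowlist generated from a freshly installed, fully patched image; the delta is what a package upgrade or an intruder changed.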
Final Thoughts
I hope this helps you understand setuid, setgid and the sticky bit. If you have any questions, feel free to leave a comment.